Skip to content

graphql-validation

Directory actions

More options

Directory actions

More options

Latest commit

 

History

History

graphql-validation

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
README.md
README.md
 
 
apis.yaml
apis.yaml
 
 
membrane.cmd
membrane.cmd
 
 
membrane.sh
membrane.sh
 
 
proxies.xml
proxies.xml
 
 
requests.http
requests.http
 
 

README.md

Validation - GraphQL

Check GraphQL-over-HTTP requests, enforcing several limits and restrictions to mitigate the attack surface of GraphQL APIs.

Running the Example

  1. Navigate to the examples/graphql/graphql-validation directory in a terminal.
  2. Start the API Gateway by executing membrane.sh (Linux/Mac) or membrane.cmd (Windows).
  3. Query the protected API by opening the requests.http file in VS Code or IntelliJ IDEA to execute the querries.

How it works

Let's examine the proxies.xml file.

<router>
  <api port="2000">
    <request>
      <graphQLProtection maxRecursion="2" />
    </request>
    <target url="https://www.predic8.de/fruit-shop-graphql" />
  </api>
</router>

We define an <api> component with the graphQLProtection plugin inside, running on port 2000 and routing to Fruit Shop GraphQL.
We validate requests only; using the default configuration of the plugin (except for recursion):

  • Don't allow GraphQL extensions.
  • Only allow queries over HTTP methods GET and POST.
  • Max recursion depth of 2 (so it catches before nesting depth in this example).
  • Max nesting depth of 7.
  • Maximum number of mutations in a query of 5.

See: